- Legislation bars DoD from using Kaspersky; FBI agents visit
employees of Russian cyber firm - The U.S. Senate Armed Services
Committee on Wednesday released its annual defense spending bill,
which reportedly contains a provision prohibiting the Department of
Defense from using any products from Moscow-based cybersecurity firm
Defense Contractors will be Held to Higher Cyber Standards - Defense
contractors will soon be held to the same cybersecurity standards
that the Defense Department has implemented in recent years,
according to a top IT official at the Pentagon.
Met Police Windows XP migration programme slows with 18,000 PCs
still running the antiquated operating system - The Metropolitan
Police is still running Windows XP on the majority of its PCs,
despite a migration programme that has been ongoing for some three
or more years.
After the WannaCry ransomware campaign, why aren't people patching?
- A massive ransomware campaign attacked countless endpoints for the
second time in just over a month, exploiting a vulnerability that
had been patched months earlier. SC asks, why does this keep
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 8tracks breach yields data on 18M accounts - Hackers accessed
8tracks's user database and pilfered information, including email
addresses and encrypted passwords, from at least 18 million accounts
signed up for the Internet radio service using email.
Information-stealing malware found targeting Israeli hospitals -
Researchers from Trend Micro have discovered a malware attack
targeting two Israeli hospitals with highly obfuscated
information-stealing malware that abuses LNK shortcut files.
Google staffers personal data exposed by third-party travel firm -
The details of Google employees have been left exposed by an agency
that looks after the search engine giant's travel bookings, it has
What Breach? AA fails to alert customers after server leaks card
data - Though the AA's shop was reportedly leaking payment card
data, the motoring association did not alert customers.
Bitthumb breach yields personal data on 30K, leads to funds scams -
Personal information on 30,000 customers of Bitthumb, billed as
South Korea's largest cybercurrency exchange, were likely exposed in
a recent hack of an employee's PC and used to trick customers and
pilfer their funds.
Indiana Medicaid patient information exposed - Indiana Medicaid
members may have had their healthcare records compromised when a
third-party vendor mistakenly made public a link to the data.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue the series
regarding FDIC Supervisory Insights regarding
Programs. (7 of 12)
Define what constitutes an incident.
An initial step in the development of a response program
is to define what constitutes an incident. This step is important as
it sharpens the organization's focus and delineates the types of
events that would trigger the use of the IRP. Moreover, identifying
potential security incidents can also make the possible threats seem
more tangible, and thus better enable organizations to design
specific incident-handling procedures for each identified threat.
The ability to detect that an incident is occurring or has occurred
is an important component of the incident response process. This is
considerably more important with respect to technical threats, since
these can be more difficult to identify without the proper technical
solutions in place. If an institution is not positioned to quickly
identify incidents, the overall effectiveness of the IRP may be
affected. Following are two detection-related best practices
included in some institutions' IRPs.
Identify indicators of unauthorized system access.
Most banks implement some form of technical solution, such
as an intrusion detection system or a firewall, to assist in the
identification of unauthorized system access. Activity reports from
these and other technical solutions (such as network and application
security reports) serve as inputs for the monitoring process and for
the IRP in general. Identifying potential indicators of unauthorized
system access within these activity or security reports can assist
in the detection process.
Involve legal counsel.
Because many states have enacted laws governing
notification requirements for customer information security
compromises, institutions have found it prudent to involve the
institution's legal counsel when a compromise of customer
information has been detected. Legal guidance may also be warranted
in properly documenting and handling the incident.
the top of the newsletter
FFIEC IT SECURITY
We continue our series on the FFIEC
interagency Information Security Booklet.
INTRUSION DETECTION AND RESPONSE
Automated Intrusion Detection Systems (IDS) (Part 2 of 4)
"Tuning" refers to the creation of signatures that
can distinguish between normal network traffic and potentially
malicious traffic. Proper tuning of these IDS units is essential to
reliable detection of both known attacks and newly developed
attacks. Tuning of some signature - based units for any particular
network may take an extended period of time, and involve extensive
analysis of expected traffic. If an IDS is not properly tuned, the
volume of alerts it generates may degrade the intrusion
identification and response capability.
Signatures may take several forms. The simplest form is the URL
submitted to a Web server, where certain references, such as
cmd.exe, are indicators of an attack. The nature of traffic to and
from a server can also serve as a signature. An example is the
length of a session and amount of traffic passed. A signature method
meant to focus on sophisticated attackers is protocol analysis, when
the contents of a packet or session are analyzed for activity that
violates standards or expected behavior. That method can catch, for
instance, indicators that servers are being attacked using Internet
control message protocol (ICMP).
Switched networks pose a problem for network IDS. Switches
ordinarily do not broadcast traffic to all ports, and a network IDS
may need to see all traffic to be effective. When switches do not
have a port that receives all traffic, the financial institution may
have to alter their network to include a hub or other device to
allow the IDS to monitor traffic.
Encrypted network traffic will drastically reduce the
effectiveness of a network IDS. Since a network IDS only reads
traffic and does not decrypt the traffic, encrypted traffic will
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
the series on the National Institute of Standards and Technology
Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
11.4.1 Human Resources
To ensure an organization has access to workers with the right
skills and knowledge, training and documentation of knowledge are
needed. During a major contingency, people will be under significant
stress and may panic. If the contingency is a regional disaster,
their first concerns will probably be their family and property. In
addition, many people will be either unwilling or unable to come to
work. Additional hiring or temporary services can be used. The use
of additional personnel may introduce security vulnerabilities.
Contingency planning, especially for emergency response, normally
places the highest emphasis on the protection of human life.
11.4.2 Processing Capability
Strategies for processing capability are normally grouped into five
categories: hot site; cold site; redundancy; reciprocal agreements;
and hybrids. These terms originated with recovery strategies for
data centers but can be applied to other platforms.
1. Hot site -- A building already equipped with processing
capability and other services.
2. Cold site -- A building for housing processors that can be
easily adapted for use.
3. Redundant site -- A site equipped and configured exactly like
the primary site. (Some organizations plan on having reduced
processing capability after a disaster and use partial redundancy.
The stocking of spare personal computers or LAN servers also
provides some redundancy.)
4. Reciprocal agreement -- An agreement that allows two
organizations to back each other up. (While this approach often
sounds desirable, contingency planning experts note that this
alternative has the greatest chance of failure due to problems
keeping agreements and plans up-to-date as systems and personnel
5. Hybrids -- Any combinations of the above such as using having a
hot site as a backup in case a redundant or reciprocal agreement
site is damaged by a separate contingency.
Recovery may include several stages, perhaps marked by increasing
availability of processing capability. Resumption planning may
include contracts or the ability to place contracts to replace